US20180077193A1 - Ordered computer vulnerability remediation reporting - Google Patents

Ordered computer vulnerability remediation reporting Download PDF

Info

Publication number
US20180077193A1
US20180077193A1 US15/817,886 US201715817886A US2018077193A1 US 20180077193 A1 US20180077193 A1 US 20180077193A1 US 201715817886 A US201715817886 A US 201715817886A US 2018077193 A1 US2018077193 A1 US 2018077193A1
Authority
US
United States
Prior art keywords
vulnerability
computing
data
vulnerabilities
asset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US15/817,886
Other versions
US10305925B2 (en
Inventor
Michael Roytman
Edward T. Bellis
Jeffrey Heuer
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kenna Security LLC
Original Assignee
Kenna Security LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kenna Security LLC filed Critical Kenna Security LLC
Priority to US15/817,886 priority Critical patent/US10305925B2/en
Publication of US20180077193A1 publication Critical patent/US20180077193A1/en
Application granted granted Critical
Publication of US10305925B2 publication Critical patent/US10305925B2/en
Assigned to KENNA SECURITY, INC. reassignment KENNA SECURITY, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BELLIS, EDWARD T., HEUER, JEFFREY, ROYTMAN, MICHAEL
Assigned to Risk I/O, Inc. reassignment Risk I/O, Inc. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BELLIS, EDWARD T., HEUER, JEFFREY, ROYTMAN, MICHAEL
Assigned to Risk I/O, Inc. reassignment Risk I/O, Inc. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ROYTMAN, MICHAEL
Assigned to KENNA SECURITY, INC. reassignment KENNA SECURITY, INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: Risk I/O, Inc.
Assigned to KENNA SECURITY LLC reassignment KENNA SECURITY LLC CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: KENNA SECURITY, INC.
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • G06Q10/0631Resource planning, allocation, distributing or scheduling for enterprises or organisations
    • G06Q10/06311Scheduling, planning or task assignment for a person or group

Definitions

  • the present disclosure generally relates to providing information technology (IT) security risk information.
  • the disclosure relates more specifically to techniques for correlating IT security risks from various security risk sources.
  • the enterprise's IT security team spends additional resources and incurs further costs in analyzing the data generated by the security vulnerability assessment tools and IT auditors in order to distinguish between the more critical IT security risks and the less critical ones.
  • the enterprise's IT security team's further efforts fail to satisfactorily defend against the most likely and potentially successful attacks on the enterprise's IT assets. This problem is further exacerbated as the number of IT assets utilized by an enterprise grows at a rapid pace because the amount of vulnerability data generated by numerous security vulnerability tools and IT auditors would consequently grow at a significantly faster pace.
  • FIG. 1 illustrates an example arrangement of providing customer with IT security risk information.
  • FIG. 2 illustrates functional logic of an embodiment as implemented in an application server coupled to a data storage unit.
  • FIG. 3 illustrates a method of identifying vulnerabilities based on breach data.
  • FIG. 4 illustrates an example arrangement of a graphical user interface for presenting risk information related to computing assets of a customer.
  • FIG. 5 illustrates a method of generating a risk score based on one or more vulnerabilities of a computing asset.
  • FIG. 6A-6B are block diagrams that depict an example arrangement of a graphical user interface of a dashboard.
  • FIG. 7 illustrates a method of prioritizing a set of remediations.
  • FIG. 8 illustrates a computer system upon which an embodiment may be implemented.
  • a method for identifying vulnerabilities that are most vulnerable to a breach.
  • vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network are received at, for example, an application server.
  • Breach data that indicates a set of breaches that occurred outside the customer network are received at the application server.
  • a subset of the set of vulnerabilities that are most vulnerable to the breach are identified, based on the breach data.
  • Result data that identifies the subset of the set of vulnerabilities that are most vulnerable to a breach is displayed on the device.
  • a plurality of vulnerabilities of a computing asset are determined.
  • a risk score for the computing asset is generated based on the plurality of vulnerabilities.
  • a graphic that represents the risk score may be displayed and, in response to user selection, cause information about a subset of the vulnerabilities to be displayed.
  • a set of remediations associated with a risk score and a set of vulnerabilities are identified.
  • a remediation may be any solution to resolve a vulnerability of a computing asset.
  • An amount by which the risk score would be reduced is determined for each remediation in the set of remediations, if the remediation is applied to a corresponding vulnerability in the set of vulnerabilities.
  • the set of remediations are ordered based on the amount determined for each remediation in the set of remediations.
  • Embodiments encompass a data processing system, a computer apparatus, or a computer-readable medium configured to carry out the foregoing steps.
  • a computing asset may be any technology that enables or performs computations, such as, a programming language, source code, a software application, a database, an operating system, a desktop computer, a server, or a hardware computing or communication device.
  • vulnerability data of an enterprise's IT security team may be generated that includes information regarding the likelihood that an exploit of a particular vulnerability of a particular asset will be successful.
  • a business organization owns numerous computing assets and uses several security vulnerability assessment tools to detect vulnerabilities in the computing assets. Additionally, the computing assets are periodically audited by IT auditors. The data gathered and presented by the assessment tools and the IT auditors may inform the business organization of the vulnerabilities of their computing assets; however, the business organization has no information upon which it can rely on to effectively and efficiently determine which of the vulnerabilities pose the most significant threat to the organization and address the vulnerabilities accordingly. Therefore, the business organization must still expend additional time and financial and human resources in determining the vulnerabilities that are most likely to allow for a breach of a computing asset to occur.
  • a vulnerability threat management platform requests data about breaches, exploits, vulnerabilities of computing assets from various data sources such as Alien Vault's Open Threat Exchange, RiskDB, the National Vulnerability Database, the Web Applications Security Consortium (WASC), the Exploit Database, SHODAN, and the Metasploit Project.
  • a breach is a successful exploit. That is, a breach is a successful attack on a computing asset by successfully exploiting a vulnerability of the computing asset.
  • the vulnerability threat management platform may also request or be provided with data from one or more customers, comprising of information of vulnerabilities associated with each customer's computing assets.
  • the vulnerability threat management platform may then, for each customer, correlate each vulnerability of the customer's computing asset to all breaches of the vulnerability.
  • the vulnerability threat management platform may then provide a ranked or ordered list of vulnerabilities which represent the order in which the vulnerabilities should be addressed, such that the vulnerability that poses the most significant threat is addressed first and the one that poses the least significant threat is addressed last.
  • the vulnerability threat management platform may provide a quantified measure, known as a risk score herein, to indicate how vulnerable a particular asset may be of being successfully exploited or breached.
  • the risk score may be a numerical value in a range of numerical values. For example, the risk score may represent a value between 0 and 1000, where the higher the number, the more at risk that particular computing asset or group of assets is of being successfully exploited or breached.
  • a risk score for a vulnerability or a computing asset may not only be based on a likelihood of a breach occurring with respect to that vulnerability or asset, but also based on how important the impact of a vulnerability exploit or asset is.
  • a computing asset may have two vulnerabilities, each of which have the same likelihood of being breached. However, one of the two vulnerabilities, if breached, results in sensitive financial information being accessible to unscrupulous users while the other vulnerability, if breached, results in the ability by unscrupulous users to merely post an innocuous message.
  • the vulnerability threat management platform may provide a risk score for each computing asset and/or a group of computing assets.
  • the risk score may be determined by considering all vulnerabilities a particular asset may have. Thus, rather than simply having information about a list of vulnerabilities, the customer has an ordered list of at-risk computing assets such that the customer may now easily know which computing asset or vulnerability the customer should attempt to address first.
  • the Vulnerability threat management platform also provides an ordered list of remediations, which can be used to resolve one or more vulnerabilities of one or more computing assets. For example, a particular computing asset may have a number of vulnerabilities, and a particular remediation may address one or more of the vulnerabilities of computing asset.
  • the application of the remediation will reduce the computing asset's risk score, where application or utilization of the first remediation on the list will most significantly reduce the risk score of the asset, and application or utilization of the last remediation on the list will least significantly reduce the risk score of the asset.
  • the customer may now completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score.
  • a data storage unit in this context, may be any electronic digital data recording device configured to store data according to a set of rules and in any format, such as a flat file, a database, a data mart, a data warehouse or other storage units.
  • a data source in this context, may be any electronic digital data storage unit capable of providing data to a requesting entity at a frequency of a particular time interval or on-demand.
  • FIG. 1 illustrates an example arrangement of assessing one or more computing assets' risk of being breached using external threat data and vulnerabilities of the one or more computing assets.
  • threat data may refer to any information related to security or risks posed by one or more vulnerabilities of a computing asset.
  • FIG. 1 depicts a networked computer system that includes a vulnerability threat management platform 115 , a plurality of data sources 101 , 102 , 103 , a data storage unit 112 , and a plurality of customers 104 a , 104 b , 104 c.
  • data sources 101 , 102 , 103 publish or provide particular threat-related data.
  • Sources 101 - 103 may publish the thread-related data at a particular time interval.
  • data source 101 may publish or provide vulnerability related data 106 every hour
  • data source 102 may publish or provide exploit related data 107 every half hour
  • data source 103 may also publish or provide breach related data 108 every 45 minutes.
  • the frequency at which data sources 101 , 102 , 103 publish or provide information may be independent of each other.
  • vulnerability threat management platform 115 requests data 106 , 107 , 108 at the particular time intervals that they become available.
  • data sources 101 , 102 , 103 may directly send data 106 , 107 , 108 , respectively, to vulnerability threat management platform 115 at the time such data becomes available.
  • Customers 104 a , 104 b , 104 c provide, to vulnerability threat management platform 115 , vulnerability data that indicates vulnerabilities of their computing assets, 109 , 110 , 111 , respectively. Additionally, customers 104 a , 104 b , 104 c , may provide contextual information related to a particular computing asset, such as a relative importance of the particular computing asset. For example, one particular computing asset of a customer may be absolutely critical for the customer to carry out its day-to-day operations. Therefore, the customer may indicate that the particular computing asset is the most important of its computing assets. As another example, all computing assets that a customer “tags” as important may be considered equally important while all other non-tagged computing assets may be treated as equally less important (at least relative to the tagged assets).
  • vulnerability threat management platform 115 is hosted by a customer and, thus, interaction with other customers 104 a - 104 c is not necessary.
  • vulnerability data 109 - 111 may not be relevant since the customer may implement Vulnerability threat management platform 115 only for its own benefit.
  • vulnerability threat management platform 115 is hosted on an application server computer capable of executing procedures, such as programs, routines, scripts or other computer executable commands, necessary for supporting the vulnerability intelligence platform.
  • An example of a Vulnerability threat management platform is Vulnerability Threat Monitoring and Prioritization Platform, commercially available from Risk I/O, Incorporated, Chicago, Ill.
  • Vulnerability threat management platform 115 is coupled with data storage unit 112 .
  • data storage unit 112 may store contextual information related to customers using Vulnerability threat management platform 115 .
  • FIG. 2 illustrates functional logic of an embodiment of a vulnerability threat management platform implemented on an application server computer coupled with a data storage unit.
  • the application server computer comprises of at least one instance of vulnerability threat management platform 115 .
  • Vulnerability threat management platform 115 may include or may be coupled to an HTTP server and may be configured to serve HTML documents that browser programs at the customers 104 a - 104 c can receive, render, and display.
  • vulnerability threat management platform 115 includes a threat data unit 201 .
  • threat data unit 201 may be coupled to the data storage unit 112 .
  • Threat data unit 201 receives vulnerability data 106 , exploit data 107 , and breach data 108 and stores them in storage unit 112 .
  • vulnerability, exploit, and breach data received at threat data unit 201 may be stored in storage unit 112 according to vulnerability identifier, such as a CVE-ID or a WASC ID.
  • threat data unit 201 may be configured to fetch data from various vulnerability, exploit and breach data sources at a defined time interval. The time interval defined to fetch data may depend upon the frequency at which the data sources make the data available.
  • vulnerability and breach data unit 201 may be configured to fetch data from vulnerability data source every hour, exploit data source every forty five minutes, and breach data source at every thirty minutes.
  • vulnerability threat management platform 115 includes a customer data unit 202 .
  • Customer data unit 202 is configured to receive vulnerability data 109 , 110 , 111 , from customers.
  • customer data unit 202 may be coupled to storage unit 112 and may be configured to store vulnerability data received from customers in storage unit 112 .
  • Customer data unit 202 may also be configured to receive data related to customer preferences and store that data in storage unit 112 . For example, customers may send data related to importance of one computing asset relative to other computing assets, or information related to grouping of particular computing assets.
  • vulnerability threat management platform 115 includes a risk assessment unit 203 .
  • Risk assessment unit 203 may be coupled to threat data unit 201 , customer data unit 202 , contextual data unit 204 , display unit 205 , and storage unit 112 .
  • Risk assessment unit 203 may be configured to determine rank or order of vulnerabilities of customer's computing assets or group of computing assets.
  • Risk assessment unit 203 may also be configured to determine a risk score for a computing asset or group of computing assets, and may also be configured to determine a ranked or ordered list of remediations for a computing asset or a group of computing assets.
  • risk assessment unit 203 ranks or orders a list of vulnerabilities of a computing asset based on successful active breaches of the particular vulnerability.
  • Risk assessment unit 203 may determine the number successful active breaches of a particular vulnerability based on the breach data 108 stored in storage unit 112 .
  • risk assessment unit 203 ranks or orders the list of vulnerabilities based on the number of exploits available for each vulnerability in addition to a number of active breaches of a particular vulnerability.
  • risk assessment unit 203 determines the number of exploits based on exploit data 107 .
  • Risk assessment unit 203 may also rank or order the list of vulnerabilities based on the CVSS score of a vulnerability in addition to the number of breaches of a particular vulnerability.
  • Risk assessment unit 203 may store the ranked or ordered list of vulnerabilities in storage unit 112 .
  • Risk assessment unit 203 may also determine a risk score for a computing asset or a group of computing assets based on the contextual data, of the computing asset or group of computing assets, provided from contextual data unit 204 .
  • contextual data unit 204 selects contextual factors relevant to the computing asset and/or the customer that owns the computing asset from storage unit 112 and provides the contextual factors to risk assessment unit 203 .
  • risk assessment unit 203 stores the risk score in storage unit 112 .
  • risk assessment unit 203 adjusts the risk score of a computing asset or a group of computing assets such that the risk score reflects qualitative factors, such as importance of a computing asset (or group of computing assets) to the customer, or a computing asset's popularity across the Internet.
  • risk assessment unit 203 ranks or orders a list of remediations to address the vulnerabilities of a computing asset or a group of computing assets. Risk assessment unit 203 determines the rank or order of the list of remediations for vulnerabilities based on the impact of each particular remediation on a risk score of a computing asset or a group of computing assets. Risk assessment unit 203 may store the ranked or ordered list of remediations in storage unit 112 .
  • risk assessment unit 203 determines the impact of a particular remediation on a risk score based on the number of vulnerabilities the particular remediation resolves. Risk assessment unit 203 may also rank or order a list of remediations based on ease of implementation or application of a particular remediation. Therefore, a customer that is presented with the list of remediations may be confident to rely on the list for the easiest remediations that have the largest impact on reducing the risk posed by vulnerabilities of a computing asset.
  • risk assessment unit 203 provides such data to display unit 205 .
  • Display unit 205 may be configured to cause data 120 - 122 to be displayed to customers.
  • display unit 205 alters its presentation of data to customers from a default presentation, based on customer preferences for data presentation.
  • vulnerability threat management platform 115 may be implemented by a customer only for its benefit. Thus, there would be no other customers 104 a - 104 c involved. Furthermore, result data 120 - 122 would not be generated for any other customers.
  • Vulnerability threat management platform 115 analyzes the vulnerability data of computing assets of customers 104 a - 104 c , against threat data from various sources, such as data sources 101 - 103 , and provides result data 120 - 122 to customers 104 a - 104 c , respectively.
  • Result data 120 - 122 includes information related to risks that the corresponding customer faces because of the vulnerabilities of the corresponding customer's computing assets.
  • the result data may identify one or more of the most important vulnerabilities of a customer (based on breach data associated with the vulnerabilities). For example, the top five vulnerabilities with the highest number of breaches (or the vulnerabilities that are associated with at least a threshold number of breaches) in a most recent time interval are identified and information about those vulnerabilities are provided in the result data.
  • Result data for a particular customer may be provided automatically to that customer or may be provided to the customer upon request.
  • the information related to risks posed by the vulnerabilities may be presented as a ranked or ordered list of vulnerabilities, where the first vulnerability on the ranked or ordered list indicates the vulnerability that will most likely be exploited.
  • vulnerability threat management platform 115 ranks or orders the list of vulnerabilities based off the number of breaches of a particular vulnerability. For example, the number of breaches of vulnerability CVE-2014-0001 is 5 and number of breaches of vulnerability CVE-2014-0002 is 7. Vulnerability threat management platform 115 may determine that CVE-2014-0002 is more likely to be exploited and rank CVE-2014-0002 higher than CVE-2014-0001.
  • a breach is a successful exploit. Relying upon breach data to determine and predict the vulnerability that is most likely to be exploited, and thus pose the most serious risk to the computing asset, is more accurate and reliable than relying upon threat data comprising only of existing exploits of a vulnerability or a Common Vulnerability Scoring System (CVSS) score of a vulnerability. Additionally, reliance only upon existence of an exploit of a vulnerability and/or CVSS score of vulnerability, often provides incomplete and thus misleading information about the significance of the risk posed by the vulnerability to the computing asset. For example, it is possible to have a vulnerability with a high CVSS score, indicating that it is a critical vulnerability. However, no recent successful exploits, or breaches, of the vulnerability may have occurred. Therefore, while the vulnerability may be critical according to its CVSS score, it does not pose a significant threat to the computing asset since it is unlikely to be breached.
  • CVSS Common Vulnerability Scoring System
  • vulnerability threat management platform 115 rank or orders the list of vulnerabilities based on a number of exploits available for each vulnerability in addition to a number of breaches of each vulnerability.
  • exploit data 107 includes a vulnerability identifier to indicate a particular vulnerability and a number of exploits for each vulnerability.
  • Vulnerability threat management platform 115 may determine the number of exploits for each vulnerability based on the vulnerability identifier.
  • Vulnerability threat management platform 115 may also rank or order the list of vulnerabilities based on the CVSS score of a vulnerability in addition to the number of breaches of a particular vulnerability.
  • vulnerability threat management platform 115 may either fetch breach data at a particular time interval or receive breach data at a particular time interval, vulnerability threat management platform 115 may periodically analyze vulnerabilities of each customer against the freshly fetched or received breach data.
  • a customer's vulnerabilities may be analyzed in a similar frequency as the frequency at which breach data is fetched or received, thereby providing, in near real-time, reassessment of the customer's vulnerabilities.
  • FIG. 3 illustrates an example method for identifying a subset of vulnerabilities from a set of vulnerabilities that are most vulnerable to a breach based on breach data.
  • the operations described for FIG. 3 may be performed by vulnerability threat management platform 115 of FIG. 1 or FIG. 2 , but other embodiments may implement the same functions in other contexts using other computing devices.
  • step 310 vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network is received from a first source.
  • the first source may be a customer.
  • the vulnerability data received from the first source may include, for each vulnerability, the vulnerability identifier, such as a CVE-ID or WASC ID.
  • breach data that indicates a set of breaches that occurred outside of the customer network is received from a second source.
  • Breach data may indicate a frequency with which each breach in the set of breaches occurred outside the customer network. For example, for vulnerability V1, the breach data may indicate 89 in the last 30 minutes while for vulnerability V2, the breach data may indicate 23 in the last 30 minutes.
  • the second source may be an external data source that provides a breach data feed at a periodic time interval.
  • breach data may be received from more than one source, where the other sources are different from the first or second sources.
  • a subset of the set vulnerabilities that are most vulnerable to a breach are identified based on the breach data received.
  • the identification of the subset of vulnerabilities that are most vulnerable to a breach is based on matching vulnerability identifiers of the set of vulnerabilities with vulnerability identifiers in the breach data.
  • the identified subset of vulnerabilities is ranked based on the number of times a vulnerability in the subset of vulnerabilities has been breached.
  • a subset of the set vulnerabilities that are most vulnerable to a breach are identified based on the breach data received and the number of exploits available for each vulnerability indicated in the exploit data received.
  • a subset of the set vulnerabilities that are most vulnerable to a breach are identified based on the breach data received and the CVSS score of a vulnerability included in the vulnerability data received.
  • result data that identifies the subset of vulnerabilities is caused to be displayed on the screen of a computing device.
  • the subset of vulnerabilities that are displayed on the screen of a computing device is a ranked or ordered subset of vulnerabilities.
  • each computing asset of the computing assets in the customers network is one of a database, an operating system, an application, a desktop computer, a mobile computer, a server, or source code.
  • a risk score may be a numerical value in a range of numerical values, such as between 0 and 1000, and indicates how vulnerable a particular asset may be of being successfully exploited or breached.
  • vulnerability threat management platform 115 determines a risk score based upon several contextual factors, including, but not limited to, a number of active breaches of each of the vulnerabilities of the computing asset, the prevalence (or number) of available exploits for each vulnerability, popularity of the computing asset or how widely the computing asset is used in the customer's industry or across all industries, difficulty of exploiting the vulnerability, and importance of the computing asset to the customer.
  • the risk score of a computing asset may reflect the risk posed by the most vulnerable vulnerability of the computing asset's vulnerabilities.
  • the vulnerability that is most likely at risk of being successfully exploited or breached may represent the risk score of the computing asset instead of simply being, for example, an average of multiple risk scores associated with vulnerabilities of the computing asset.
  • the risk score of a computing asset may be provided to a customer upon receiving a request from the customer for a risk score of the computing asset.
  • the risk score of a computing asset may be forwarded to the customer once analysis of the computing asset's vulnerabilities is completed and the computing asset's risk score is determined.
  • vulnerability threat management platform 115 provides a risk score for a computing asset or a group of computing assets.
  • Vulnerability threat management platform 115 may determine multiple computing assets to be grouped based on customer input. For example, some of the computing assets of a financial services company are responsible for maintaining and storing sensitive personal information of customers of the financial services company. Determining the risk of these computing assets being breached may be very important to the financial services company or even required of the financial services company. Therefore, the financial services company may request a risk assessment of a group comprising of the particular assets responsible for maintaining and storing sensitive personal information. Vulnerability threat management platform 115 may then provide a risk score representing the group's risk of being breached.
  • computing assets may be grouped together based on geographical location of computing assets, on the type of computing assets, on the subnet of computing assets, or on input from a customer (e.g., 104 a ).
  • the risk score of a group of computing assets may be an average of the risk scores of the computing assets. In some embodiments, the risk score of a group of computing assets may be determined using a more complex method than an average of risk scores. Alternatively, a risk score of a group of computing assets may be the highest risk score of any individual computing asset in the group of computing assets.
  • Vulnerability threat management platform 115 may also store information enabling a future grouping of the particular assets indicated in storage unit 112 such that vulnerability threat management platform 115 may retrieve the information in order to group the particular assets and determine a risk score the next time the customer requests for a risk assessment of the group of computing assets.
  • a range of colors may also be presented, in addition to the risk score, to indicate the criticality of the risk score to the customer. For example, if the risk score indicates that the particular computing asset is at a high risk of being breached, then the risk score may be encompassed within a ring of red color or the risk score itself may be presented in red color or it may be a combination of both, a ring of red color encompassing a risk score in red color.
  • a particular color may represent a range of risk scores such that it may present a visual cue to the seriousness of the risk. For example, green may be used to present a low level of risk, yellow may be used to present a medium level of risk and red may be used to present a high level of risk. There may be more or less risk score ranges than the three described herein.
  • FIG. 4 illustrates an example arrangement of a graphical user interface for presenting risk information related to computing assets of a customer.
  • color ring 401 displays a color that corresponds to a criticality of a risk score 402 .
  • color ring 401 may be filled with color in proportion to risk score 402 .
  • risk score of the ten assets is 290 out of 1000, therefore only 29 percent of color ring 401 is filled with a particular color.
  • colors may be predefined to represent certain risk score ranges.
  • green has been predefined to represent a risk score of at least 290.
  • risk score 402 is also presented in the color reflecting its criticality.
  • a combined graphical representation of color ring 401 and risk score 402 is referred to as a “risk meter.”
  • button 403 represents a list of ordered or ranked remediations that may be presented upon user clicking button 403 .
  • the list of ordered or ranked remediations may be presented upon hovering over button 403 .
  • Dropdown list 404 may be used to present asset groups described above. In an embodiment, dropdown list 404 may be used to view and switch between different asset groups in a fast and efficient manner to make it easy for customers to manager a large number of asset groups without wasting time searching for different assets.
  • grid 405 may be used to present asset information.
  • each asset may be presented in a separate row along with certain attributes of the asset indicated in columns of grid 405 , such as number of vulnerabilities of the asset, priority value of the asset, the location of asset over the internet, operating system(s) of the asset, one or more tags associated with the asset, and a creation date of the asset or vulnerability.
  • grid 405 may be interactive such that a user may apply changes to grid 405 and risk score 402 reflects the changes. For example, a user may change priority value of a particular asset, causing risk score 402 to be adjusted according to the newly given importance to the particular asset.
  • FIG. 5 depicts an example process for determining a risk score for one or more computing assets.
  • the steps indicated in FIG. 5 may be performed by vulnerability threat management platform 115 of FIG. 1 , FIG. 2 , but other embodiments may implement the same functions in other contexts using other computing devices.
  • a plurality of vulnerabilities of a computing asset are determined. Vulnerabilities of the computing asset may be based on vulnerability data provided by a customer.
  • a risk score for the computing asset is generated based on the plurality of vulnerabilities.
  • the risk score for the computing asset may also be based on certain contextual factors such as importance of the asset to the customer.
  • FIG. 5 depicts a process where a risk score is generated for a single computing asset
  • a risk score may be generated for a set of two or more computing assets.
  • a risk score for more than one computing asset may be based on vulnerabilities of each computing asset in the set of computing assets.
  • assets A1 and A2 each have a single vulnerability: V1 for A1 and V2 for A2.
  • a risk score is generated for the set that includes A1 and A2 based on V1 and V2.
  • a risk score may be generated for a set of two or more computing assets based on a single vulnerability for each computing asset in the set.
  • a risk score of a set of computing assets may be displayed on a screen of computing device.
  • An input that selects the risk score may be received and in response to receiving the input that selects the risk score, data that indicates each computing asset in the set of computing assets is displayed on screen.
  • the data that indicates each computing asset may include a risk score for the computing asset, vulnerabilities of the computing asset, and/or list of remediations to resolve the vulnerabilities of the computing asset.
  • a set of computing assets may be grouped based on geographical location of the computing assets in the set, the type of computing assets, the subnet of the computing assets, or customer input.
  • the risk scores of different computing assets or groups of computing assets may be displayed concurrently, referred to herein as a dashboard, to the customer.
  • vulnerability threat management platform 115 presents risk scores of computing assets to a customer in a manner that enables the customer to drill down into a group of computing assets and determine the risk score for each computing asset of the group of computing assets. Therefore, the customer is able to view a risk score for the particular computing asset without having to request a risk assessment for the particular computing asset, nor would the customer have to search the rest of the dashboard for the particular computing asset.
  • FIG. 6A-6B are block diagrams that depict an example arrangement of a graphical user interface of a dashboard.
  • a dashboard displays various risk meters 610 - 640 , where each risk meter includes risk information related to a particular computing asset group of a customer.
  • risk meter 610 corresponds to desktops in a customer's network while risk meter 630 corresponds to assets involved in the customer's ecommerce website.
  • the dashboard may be presented in a grid form as depicted in FIGS. 6A-6B .
  • Risk meters may be presented in such a manner such that clicking or hovering over a risk meter may display computing assets represented by the risk meter.
  • user selection of risk meter 610 may cause the dashboard depicted in FIG. 6B to be displayed, including group data 612 .
  • Group data 612 indicates a number of assets in the “Desktops” group, a number of vulnerabilities in that group, a number of vulnerabilities in the group that are considered “Top Priority” (according to some specified criteria), a number of active Internet breaches associated with vulnerabilities in the group, an number of “easily” exploitable vulnerabilities in the group, and a number of popular targets (indicating which vulnerabilities have been the target of the most breaches) in the group.
  • the dashboards represented in FIGS. 6A-6B also include total aggregate information, such as the total number of vulnerabilities in a customer network (74,005), the total number of “closed vulnerabilities” (9,751) (which are fixed or remediated vulnerabilities, the total number of assets in the customer network, and a vulnerability density (3,143), which may represent the average number of vulnerabilities per asset group or the median number of vulnerabilities across the asset groups.
  • the dashboards represented in FIGS. 6A-6B may also be fully customizable, such as customizing which asset groups are displayed first or at the top of a view, what information is displayed when a risk meter is selected, and alert information indicating whether an audio alert, visual alert, or message alert (e.g., text, IM) should be sent when a risk score for a risk meter exceeds a certain threshold and/or when multiple risk scores exceed a particular threshold.
  • an audio alert, visual alert, or message alert e.g., text, IM
  • vulnerability threat management platform 115 provides an ordered or ranked list of remediations applicable to the computing asset.
  • vulnerability threat management platform 115 analyzes vulnerability data 109 , 110 , 111 , sent by customers 104 a , 104 b , 104 c , respectively, and selects remediations based on mappings of vulnerabilities and remediations.
  • a remediation may be mapped to one or more vulnerabilities.
  • the list of remediations will be ordered or ranked according to the impact on the overall risk score of a computing asset or a group of computing assets.
  • the ranking or ordering of list remediations may also be based on ease of implementation or application (e.g., in terms of time and/or work required by the customer) of a remediation, where remediations that are easier to implement or apply are preferred over remediations that are more difficult to implement or apply.
  • remediation R1 takes about ten minutes to apply and remediation R2 takes about nine hours to apply.
  • R1 may be ranked higher than R2 even if R1 has a slightly higher impact on the risk score than the impact of R2 has on the risk score.
  • mappings of vulnerabilities and remediations may be stored in storage unit 112 .
  • vulnerability threat management platform 115 presents the list of remediations concurrently with ranked or ordered list of vulnerabilities of a computing asset or group of computing assets, or risk score of a computing asset or a group of computing assets, or both.
  • FIG. 7 illustrates an example method for determining a set of remediations for one or more vulnerabilities of a computing asset.
  • the example method may be performed by vulnerability threat management platform 115 of FIG. 1 or FIG. 2 , but other embodiments may implement the same functions in other contexts using other computing devices.
  • a set of remediations associated with a set of vulnerabilities is identified.
  • the remediations may be identified based on the identifiers of each vulnerability in the set of vulnerabilities.
  • the set of remediations may come from one of customers 104 a - 104 c , one of sources 101 - 103 , and/or another source, not depicted.
  • an amount that the risk score would be reduced if said each remediation is applied to a corresponding vulnerability in the set of vulnerabilities is determined.
  • the set of remediations is ordered based on the amount the risk score is reduced by each remediation in the set of remediations.
  • the set of remediations may also be ordered by ease of implementation of each remediation.
  • a customer is allowed to select a remediation to be applied to its corresponding vulnerability. Once applied and the vulnerability is removed, the set of remediations is updated to remove the selected remediation. Afterwards, an updated risk score may be generated based on the updated set of remediations. Also, blocks 520 and 530 may be performed again for the updated set of remediations and based on the updated risk score.
  • the embodiments described herein may enable for an assessment of risk associated with a computing asset and provide an effective and efficient manner in reducing the risk posed by one or more vulnerabilities of a computing asset or a group of computing assets.
  • the techniques described herein are implemented by one or more special-purpose computing devices.
  • the special-purpose computing devices may be hard-wired to perform the techniques, or may include digital electronic devices such as one or more application-specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs) that are persistently programmed to perform the techniques, or may include one or more general purpose hardware processors programmed to perform the techniques pursuant to program instructions in firmware, memory, other storage, or a combination.
  • ASICs application-specific integrated circuits
  • FPGAs field programmable gate arrays
  • Such special-purpose computing devices may also combine custom hard-wired logic, ASICs, or FPGAs with custom programming to accomplish the techniques.
  • the special-purpose computing devices may be desktop computer systems, portable computer systems, handheld devices, networking devices or any other device that incorporates hard-wired and/or program logic to implement the techniques.
  • FIG. 8 is a block diagram that illustrates a computer system 800 upon which an embodiment of the invention may be implemented.
  • Computer system 800 includes a bus 802 or other communication mechanism for communicating information, and a hardware processor 804 coupled with bus 802 for processing information.
  • Hardware processor 804 may be, for example, a general purpose microprocessor.
  • Computer system 800 also includes a main memory 806 , such as a random access memory (RAM) or other dynamic storage device, coupled to bus 802 for storing information and instructions to be executed by processor 804 .
  • Main memory 806 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 804 .
  • Such instructions when stored in non-transitory storage media accessible to processor 804 , render computer system 800 into a special-purpose machine that is customized to perform the operations specified in the instructions.
  • Computer system 800 further includes a read only memory (ROM) 808 or other static storage device coupled to bus 802 for storing static information and instructions for processor 804 .
  • ROM read only memory
  • a storage device 810 such as a magnetic disk, optical disk, or solid-state drive is provided and coupled to bus 802 for storing information and instructions.
  • Computer system 800 may be coupled via bus 802 to a display 812 , such as a cathode ray tube (CRT), for displaying information to a computer user.
  • a display 812 such as a cathode ray tube (CRT)
  • An input device 814 is coupled to bus 802 for communicating information and command selections to processor 804 .
  • cursor control 816 is Another type of user input device
  • cursor control 816 such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 804 and for controlling cursor movement on display 812 .
  • This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.
  • Computer system 800 may implement the techniques described herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware and/or program logic which in combination with the computer system causes or programs computer system 800 to be a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 800 in response to processor 804 executing one or more sequences of one or more instructions contained in main memory 806 . Such instructions may be read into main memory 806 from another storage medium, such as storage device 810 . Execution of the sequences of instructions contained in main memory 806 causes processor 804 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.
  • Non-volatile media includes, for example, optical disks, magnetic disks, or solid-state drives, such as storage device 810 .
  • Volatile media includes dynamic memory, such as main memory 806 .
  • storage media include, for example, a floppy disk, a flexible disk, hard disk, solid-state drive, magnetic tape, or any other magnetic data storage medium, a CD-ROM, any other optical data storage medium, any physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, NVRAM, any other memory chip or cartridge.
  • Storage media is distinct from but may be used in conjunction with transmission media.
  • Transmission media participates in transferring information between storage media.
  • transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 802 .
  • transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.
  • Various forms of media may be involved in carrying one or more sequences of one or more instructions to processor 804 for execution.
  • the instructions may initially be carried on a magnetic disk or solid-state drive of a remote computer.
  • the remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem.
  • a modem local to computer system 800 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal.
  • An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 802 .
  • Bus 802 carries the data to main memory 806 , from which processor 804 retrieves and executes the instructions.
  • the instructions received by main memory 806 may optionally be stored on storage device 810 either before or after execution by processor 804 .
  • Computer system 800 also includes a communication interface 818 coupled to bus 802 .
  • Communication interface 818 provides a two-way data communication coupling to a network link 820 that is connected to a local network 822 .
  • communication interface 818 may be an integrated services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of telephone line.
  • ISDN integrated services digital network
  • communication interface 818 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN.
  • LAN local area network
  • Wireless links may also be implemented.
  • communication interface 818 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
  • Network link 820 typically provides data communication through one or more networks to other data devices.
  • network link 820 may provide a connection through local network 822 to a host computer 824 or to data equipment operated by an Internet Service Provider (ISP) 826 .
  • ISP 826 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the “Internet” 828 .
  • Internet 828 uses electrical, electromagnetic or optical signals that carry digital data streams.
  • the signals through the various networks and the signals on network link 820 and through communication interface 818 which carry the digital data to and from computer system 800 , are example forms of transmission media.
  • Computer system 800 can send messages and receive data, including program code, through the network(s), network link 820 and communication interface 818 .
  • a server 830 might transmit a requested code for an application program through Internet 828 , ISP 826 , local network 822 and communication interface 818 .
  • the received code may be executed by processor 804 as it is received, and/or stored in storage device 810 , or other non-volatile storage for later execution.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Techniques for ranking a set of vulnerabilities of a computing asset and set of remediations for a computing asset, and determining a risk score for one or more computing assets are provided. In one technique, vulnerabilities of computing assets in a customer network are received at a vulnerability intelligence platform. Breach data indicating set of breaches that occurred outside customer network is also received. A subset of the set of vulnerabilities that are most vulnerable to a breach is identified based on the breach data. In another technique, multiple vulnerabilities of a computing asset are determined. A risk score is generated for the computing asset based on the vulnerabilities. In another technique, multiple remediations associated with a risk score and multiple vulnerabilities are identified. The remediations are ordered based on the remediations that would reduce the risk score the most if those remediations were applied to remove the corresponding vulnerabilities.

Description

    PRIORITY AND CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application claims benefit under 35 U.S.C. § 120 as a Continuation of application Ser. No. 14/941,927 filed Nov. 16, 2015, which is a continuation of Ser. No. 14/642,620 filed Mar. 9, 2015; now U.S. Pat. No. 9,270,695 issued Feb. 23, 2016; which is a continuation of Ser. No. 14/181,415, filed on Feb. 14, 2014, now U.S. Pat. No. 8,984,643 issued Mar. 17, 2015, which is related to U.S. patent application Ser. No. 14/181,352 filed Feb. 14, 2014; and U.S. patent application Ser. No. 14/181,382 filed Feb. 14, 2014, now U.S. Pat. No. 8,966,639 issued February 24, the entire contents of each of which are hereby incorporated by reference for all purposes as if fully set forth herein.
  • TECHNICAL FIELD
  • The present disclosure generally relates to providing information technology (IT) security risk information. The disclosure relates more specifically to techniques for correlating IT security risks from various security risk sources.
  • BACKGROUND
  • The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
  • The number of attacks on various IT assets of an enterprise has increased tremendously. The rise in attacks has led to creation and adoption of numerous tools to perform IT security vulnerability assessments. Each security vulnerability assessment tool tends to differ from other security vulnerability assessment tools in that each tool provides one or two features that other security vulnerability assessment tools do not provide. Therefore, it is quite common for an enterprise to use a plurality of security vulnerability assessment tools in assessing security vulnerabilities of their IT assets. In addition, many enterprises also hire third party auditors to audit the enterprise's IT assets. In fact, certain industries, such as the financial services healthcare industries, are required to have their IT assets periodically audited by third party IT auditors.
  • The result of using numerous tools and auditing firms to assess vulnerabilities of IT assets is the generation of large amount of data. Once the tools and the auditing firms produce the vulnerability data, the enterprise's IT security team must use the data to reduce each IT asset's risk of being successfully attacked. Unfortunately, the data generated by the tools and the auditors fail to provide the enterprise's IT security team with the necessary information to efficiently and effectively prioritize their task of reducing security risk to the enterprise's IT assets.
  • Therefore, more often than not, the enterprise's IT security team spends additional resources and incurs further costs in analyzing the data generated by the security vulnerability assessment tools and IT auditors in order to distinguish between the more critical IT security risks and the less critical ones. Furthermore, due to the inherent inaccuracy and inherent lack of information regarding the likelihood of a successful attack on an IT asset in the generated data, the enterprise's IT security team's further efforts fail to satisfactorily defend against the most likely and potentially successful attacks on the enterprise's IT assets. This problem is further exacerbated as the number of IT assets utilized by an enterprise grows at a rapid pace because the amount of vulnerability data generated by numerous security vulnerability tools and IT auditors would consequently grow at a significantly faster pace.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • In the drawings:
  • FIG. 1 illustrates an example arrangement of providing customer with IT security risk information.
  • FIG. 2 illustrates functional logic of an embodiment as implemented in an application server coupled to a data storage unit.
  • FIG. 3 illustrates a method of identifying vulnerabilities based on breach data.
  • FIG. 4 illustrates an example arrangement of a graphical user interface for presenting risk information related to computing assets of a customer.
  • FIG. 5 illustrates a method of generating a risk score based on one or more vulnerabilities of a computing asset.
  • FIG. 6A-6B are block diagrams that depict an example arrangement of a graphical user interface of a dashboard.
  • FIG. 7 illustrates a method of prioritizing a set of remediations.
  • FIG. 8 illustrates a computer system upon which an embodiment may be implemented.
  • DESCRIPTION OF EXAMPLE EMBODIMENTS
  • In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure. It will be apparent, however, to one skilled in the art that the present disclosure may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present disclosure.
  • Embodiments are described herein according to the following outline:
      • 1.0 Overview
      • 2.0 Structural and Functional Overview
      • 3.0 Correlating Vulnerability Data With Breach Data
      • 4.0 Risk Meter
      • 5.0 Remediation List
      • 6.0 Implementation Mechanisms—Hardware Overview
      • 7.0 Extensions and Alternatives
  • 1.0 Overview
  • In an embodiment, a method is described for identifying vulnerabilities that are most vulnerable to a breach. In an embodiment, vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network are received at, for example, an application server. Breach data that indicates a set of breaches that occurred outside the customer network are received at the application server. A subset of the set of vulnerabilities that are most vulnerable to the breach are identified, based on the breach data. Result data that identifies the subset of the set of vulnerabilities that are most vulnerable to a breach is displayed on the device.
  • In an embodiment, a plurality of vulnerabilities of a computing asset are determined. A risk score for the computing asset is generated based on the plurality of vulnerabilities. A graphic that represents the risk score may be displayed and, in response to user selection, cause information about a subset of the vulnerabilities to be displayed.
  • In an embodiment, a set of remediations associated with a risk score and a set of vulnerabilities are identified. A remediation may be any solution to resolve a vulnerability of a computing asset. An amount by which the risk score would be reduced is determined for each remediation in the set of remediations, if the remediation is applied to a corresponding vulnerability in the set of vulnerabilities. The set of remediations are ordered based on the amount determined for each remediation in the set of remediations.
  • Embodiments encompass a data processing system, a computer apparatus, or a computer-readable medium configured to carry out the foregoing steps.
  • 2.0 Structural and Functional Overview
  • Certain embodiments are configured to help reduce or eliminate costs associated with vulnerability data that fail to provide information regarding the likelihood of a successful attack on a computing asset. As described herein, a computing asset may be any technology that enables or performs computations, such as, a programming language, source code, a software application, a database, an operating system, a desktop computer, a server, or a hardware computing or communication device.
  • In an embodiment, by utilizing breach data, sourced from across the internet, and correlating that data with vulnerabilities discovered in computing assets in a customer network, vulnerability data of an enterprise's IT security team may be generated that includes information regarding the likelihood that an exploit of a particular vulnerability of a particular asset will be successful.
  • For purposes of illustrating a clear example, assume that a business organization owns numerous computing assets and uses several security vulnerability assessment tools to detect vulnerabilities in the computing assets. Additionally, the computing assets are periodically audited by IT auditors. The data gathered and presented by the assessment tools and the IT auditors may inform the business organization of the vulnerabilities of their computing assets; however, the business organization has no information upon which it can rely on to effectively and efficiently determine which of the vulnerabilities pose the most significant threat to the organization and address the vulnerabilities accordingly. Therefore, the business organization must still expend additional time and financial and human resources in determining the vulnerabilities that are most likely to allow for a breach of a computing asset to occur. In order to accurately prioritize their approach to reducing risks to the assets the business organization must still be able to determine information about the risks to an asset rather than just information about vulnerabilities, and in order to effective and efficiently resolve vulnerabilities of computing assets, it would be a tremendous asset to have an ordered list of remediations where the first remediation will successfully reduce the risk of a computing asset the most.
  • In an embodiment, a vulnerability threat management platform requests data about breaches, exploits, vulnerabilities of computing assets from various data sources such as Alien Vault's Open Threat Exchange, RiskDB, the National Vulnerability Database, the Web Applications Security Consortium (WASC), the Exploit Database, SHODAN, and the Metasploit Project. As referred to herein, a breach is a successful exploit. That is, a breach is a successful attack on a computing asset by successfully exploiting a vulnerability of the computing asset.
  • The vulnerability threat management platform may also request or be provided with data from one or more customers, comprising of information of vulnerabilities associated with each customer's computing assets. The vulnerability threat management platform may then, for each customer, correlate each vulnerability of the customer's computing asset to all breaches of the vulnerability. For each customer, the vulnerability threat management platform may then provide a ranked or ordered list of vulnerabilities which represent the order in which the vulnerabilities should be addressed, such that the vulnerability that poses the most significant threat is addressed first and the one that poses the least significant threat is addressed last.
  • In some embodiments, the vulnerability threat management platform may provide a quantified measure, known as a risk score herein, to indicate how vulnerable a particular asset may be of being successfully exploited or breached. The risk score may be a numerical value in a range of numerical values. For example, the risk score may represent a value between 0 and 1000, where the higher the number, the more at risk that particular computing asset or group of assets is of being successfully exploited or breached.
  • A risk score for a vulnerability or a computing asset may not only be based on a likelihood of a breach occurring with respect to that vulnerability or asset, but also based on how important the impact of a vulnerability exploit or asset is. For example, a computing asset may have two vulnerabilities, each of which have the same likelihood of being breached. However, one of the two vulnerabilities, if breached, results in sensitive financial information being accessible to unscrupulous users while the other vulnerability, if breached, results in the ability by unscrupulous users to merely post an innocuous message.
  • The vulnerability threat management platform may provide a risk score for each computing asset and/or a group of computing assets.
  • In some embodiments, the risk score may be determined by considering all vulnerabilities a particular asset may have. Thus, rather than simply having information about a list of vulnerabilities, the customer has an ordered list of at-risk computing assets such that the customer may now easily know which computing asset or vulnerability the customer should attempt to address first.
  • In some embodiments, the Vulnerability threat management platform also provides an ordered list of remediations, which can be used to resolve one or more vulnerabilities of one or more computing assets. For example, a particular computing asset may have a number of vulnerabilities, and a particular remediation may address one or more of the vulnerabilities of computing asset. The application of the remediation will reduce the computing asset's risk score, where application or utilization of the first remediation on the list will most significantly reduce the risk score of the asset, and application or utilization of the last remediation on the list will least significantly reduce the risk score of the asset. Thus, the customer may now completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score.
  • The foregoing approaches, structures and functions are described further herein in connection with FIG. 1 and the other drawings. A data storage unit, in this context, may be any electronic digital data recording device configured to store data according to a set of rules and in any format, such as a flat file, a database, a data mart, a data warehouse or other storage units. A data source, in this context, may be any electronic digital data storage unit capable of providing data to a requesting entity at a frequency of a particular time interval or on-demand.
  • FIG. 1 illustrates an example arrangement of assessing one or more computing assets' risk of being breached using external threat data and vulnerabilities of the one or more computing assets. As described herein, threat data may refer to any information related to security or risks posed by one or more vulnerabilities of a computing asset.
  • FIG. 1 depicts a networked computer system that includes a vulnerability threat management platform 115, a plurality of data sources 101, 102, 103, a data storage unit 112, and a plurality of customers 104 a, 104 b, 104 c.
  • In this example, data sources 101, 102, 103 publish or provide particular threat-related data. Sources 101-103 may publish the thread-related data at a particular time interval. For instance, data source 101 may publish or provide vulnerability related data 106 every hour, data source 102 may publish or provide exploit related data 107 every half hour, and data source 103 may also publish or provide breach related data 108 every 45 minutes. Thus, the frequency at which data sources 101, 102, 103 publish or provide information may be independent of each other.
  • In some embodiments, vulnerability threat management platform 115 requests data 106, 107, 108 at the particular time intervals that they become available. In some embodiments, data sources 101, 102, 103 may directly send data 106, 107, 108, respectively, to vulnerability threat management platform 115 at the time such data becomes available.
  • Customers 104 a, 104 b, 104 c provide, to vulnerability threat management platform 115, vulnerability data that indicates vulnerabilities of their computing assets, 109, 110, 111, respectively. Additionally, customers 104 a, 104 b, 104 c, may provide contextual information related to a particular computing asset, such as a relative importance of the particular computing asset. For example, one particular computing asset of a customer may be absolutely critical for the customer to carry out its day-to-day operations. Therefore, the customer may indicate that the particular computing asset is the most important of its computing assets. As another example, all computing assets that a customer “tags” as important may be considered equally important while all other non-tagged computing assets may be treated as equally less important (at least relative to the tagged assets).
  • In an embodiment, vulnerability threat management platform 115 is hosted by a customer and, thus, interaction with other customers 104 a-104 c is not necessary. In other words, vulnerability data 109-111 may not be relevant since the customer may implement Vulnerability threat management platform 115 only for its own benefit.
  • In an embodiment, vulnerability threat management platform 115 is hosted on an application server computer capable of executing procedures, such as programs, routines, scripts or other computer executable commands, necessary for supporting the vulnerability intelligence platform. An example of a Vulnerability threat management platform is Vulnerability Threat Monitoring and Prioritization Platform, commercially available from Risk I/O, Incorporated, Chicago, Ill. In FIG. 1 Vulnerability threat management platform 115 is coupled with data storage unit 112. In some embodiments, data storage unit 112 may store contextual information related to customers using Vulnerability threat management platform 115.
  • FIG. 2 illustrates functional logic of an embodiment of a vulnerability threat management platform implemented on an application server computer coupled with a data storage unit. In an embodiment, the application server computer comprises of at least one instance of vulnerability threat management platform 115. Vulnerability threat management platform 115 may include or may be coupled to an HTTP server and may be configured to serve HTML documents that browser programs at the customers 104 a-104 c can receive, render, and display.
  • In an embodiment, vulnerability threat management platform 115 includes a threat data unit 201. In an embodiment, threat data unit 201 may be coupled to the data storage unit 112. Threat data unit 201 receives vulnerability data 106, exploit data 107, and breach data 108 and stores them in storage unit 112. In an embodiment, vulnerability, exploit, and breach data received at threat data unit 201 may be stored in storage unit 112 according to vulnerability identifier, such as a CVE-ID or a WASC ID. In an embodiment, threat data unit 201 may be configured to fetch data from various vulnerability, exploit and breach data sources at a defined time interval. The time interval defined to fetch data may depend upon the frequency at which the data sources make the data available. For example, if a vulnerability, exploit, and breach data sources make data available at every hour, forty five minutes, and thirty minutes respectively, then vulnerability and breach data unit 201 may be configured to fetch data from vulnerability data source every hour, exploit data source every forty five minutes, and breach data source at every thirty minutes.
  • In an embodiment, vulnerability threat management platform 115 includes a customer data unit 202. Customer data unit 202 is configured to receive vulnerability data 109, 110, 111, from customers. In an embodiment, customer data unit 202 may be coupled to storage unit 112 and may be configured to store vulnerability data received from customers in storage unit 112. Customer data unit 202 may also be configured to receive data related to customer preferences and store that data in storage unit 112. For example, customers may send data related to importance of one computing asset relative to other computing assets, or information related to grouping of particular computing assets.
  • In an embodiment, vulnerability threat management platform 115 includes a risk assessment unit 203. Risk assessment unit 203 may be coupled to threat data unit 201, customer data unit 202, contextual data unit 204, display unit 205, and storage unit 112. Risk assessment unit 203 may be configured to determine rank or order of vulnerabilities of customer's computing assets or group of computing assets. Risk assessment unit 203 may also be configured to determine a risk score for a computing asset or group of computing assets, and may also be configured to determine a ranked or ordered list of remediations for a computing asset or a group of computing assets.
  • In an embodiment, risk assessment unit 203 ranks or orders a list of vulnerabilities of a computing asset based on successful active breaches of the particular vulnerability. Risk assessment unit 203 may determine the number successful active breaches of a particular vulnerability based on the breach data 108 stored in storage unit 112. In an embodiment, risk assessment unit 203 ranks or orders the list of vulnerabilities based on the number of exploits available for each vulnerability in addition to a number of active breaches of a particular vulnerability. In an embodiment, risk assessment unit 203 determines the number of exploits based on exploit data 107. Risk assessment unit 203 may also rank or order the list of vulnerabilities based on the CVSS score of a vulnerability in addition to the number of breaches of a particular vulnerability.
  • Risk assessment unit 203 may store the ranked or ordered list of vulnerabilities in storage unit 112.
  • Risk assessment unit 203 may also determine a risk score for a computing asset or a group of computing assets based on the contextual data, of the computing asset or group of computing assets, provided from contextual data unit 204.
  • In an embodiment, contextual data unit 204 selects contextual factors relevant to the computing asset and/or the customer that owns the computing asset from storage unit 112 and provides the contextual factors to risk assessment unit 203. In an embodiment, risk assessment unit 203 stores the risk score in storage unit 112. Using contextual factors from contextual data unit 204, risk assessment unit 203 adjusts the risk score of a computing asset or a group of computing assets such that the risk score reflects qualitative factors, such as importance of a computing asset (or group of computing assets) to the customer, or a computing asset's popularity across the Internet.
  • In an embodiment, risk assessment unit 203 ranks or orders a list of remediations to address the vulnerabilities of a computing asset or a group of computing assets. Risk assessment unit 203 determines the rank or order of the list of remediations for vulnerabilities based on the impact of each particular remediation on a risk score of a computing asset or a group of computing assets. Risk assessment unit 203 may store the ranked or ordered list of remediations in storage unit 112.
  • In an embodiment, risk assessment unit 203 determines the impact of a particular remediation on a risk score based on the number of vulnerabilities the particular remediation resolves. Risk assessment unit 203 may also rank or order a list of remediations based on ease of implementation or application of a particular remediation. Therefore, a customer that is presented with the list of remediations may be confident to rely on the list for the easiest remediations that have the largest impact on reducing the risk posed by vulnerabilities of a computing asset.
  • In an embodiment, after ranking or ordering vulnerabilities, a list of remediations, and/or determining one or more risk scores, risk assessment unit 203 provides such data to display unit 205. Display unit 205 may be configured to cause data 120-122 to be displayed to customers. In an embodiment, display unit 205 alters its presentation of data to customers from a default presentation, based on customer preferences for data presentation.
  • As noted previously, vulnerability threat management platform 115 may be implemented by a customer only for its benefit. Thus, there would be no other customers 104 a-104 c involved. Furthermore, result data 120-122 would not be generated for any other customers.
  • 3.0 Correlating Vulnerability Data with Breach Data
  • Vulnerability threat management platform 115 analyzes the vulnerability data of computing assets of customers 104 a-104 c, against threat data from various sources, such as data sources 101-103, and provides result data 120-122 to customers 104 a-104 c, respectively. Result data 120-122 includes information related to risks that the corresponding customer faces because of the vulnerabilities of the corresponding customer's computing assets. The result data may identify one or more of the most important vulnerabilities of a customer (based on breach data associated with the vulnerabilities). For example, the top five vulnerabilities with the highest number of breaches (or the vulnerabilities that are associated with at least a threshold number of breaches) in a most recent time interval are identified and information about those vulnerabilities are provided in the result data. Result data for a particular customer may be provided automatically to that customer or may be provided to the customer upon request.
  • In an embodiment, the information related to risks posed by the vulnerabilities may be presented as a ranked or ordered list of vulnerabilities, where the first vulnerability on the ranked or ordered list indicates the vulnerability that will most likely be exploited. In an embodiment, vulnerability threat management platform 115 ranks or orders the list of vulnerabilities based off the number of breaches of a particular vulnerability. For example, the number of breaches of vulnerability CVE-2014-0001 is 5 and number of breaches of vulnerability CVE-2014-0002 is 7. Vulnerability threat management platform 115 may determine that CVE-2014-0002 is more likely to be exploited and rank CVE-2014-0002 higher than CVE-2014-0001.
  • As described earlier, a breach is a successful exploit. Relying upon breach data to determine and predict the vulnerability that is most likely to be exploited, and thus pose the most serious risk to the computing asset, is more accurate and reliable than relying upon threat data comprising only of existing exploits of a vulnerability or a Common Vulnerability Scoring System (CVSS) score of a vulnerability. Additionally, reliance only upon existence of an exploit of a vulnerability and/or CVSS score of vulnerability, often provides incomplete and thus misleading information about the significance of the risk posed by the vulnerability to the computing asset. For example, it is possible to have a vulnerability with a high CVSS score, indicating that it is a critical vulnerability. However, no recent successful exploits, or breaches, of the vulnerability may have occurred. Therefore, while the vulnerability may be critical according to its CVSS score, it does not pose a significant threat to the computing asset since it is unlikely to be breached.
  • In an embodiment, vulnerability threat management platform 115 rank or orders the list of vulnerabilities based on a number of exploits available for each vulnerability in addition to a number of breaches of each vulnerability. In an embodiment, exploit data 107 includes a vulnerability identifier to indicate a particular vulnerability and a number of exploits for each vulnerability. Vulnerability threat management platform 115 may determine the number of exploits for each vulnerability based on the vulnerability identifier. Vulnerability threat management platform 115 may also rank or order the list of vulnerabilities based on the CVSS score of a vulnerability in addition to the number of breaches of a particular vulnerability.
  • Furthermore, since vulnerability threat management platform 115 may either fetch breach data at a particular time interval or receive breach data at a particular time interval, vulnerability threat management platform 115 may periodically analyze vulnerabilities of each customer against the freshly fetched or received breach data. In an embodiment, a customer's vulnerabilities may be analyzed in a similar frequency as the frequency at which breach data is fetched or received, thereby providing, in near real-time, reassessment of the customer's vulnerabilities.
  • FIG. 3 illustrates an example method for identifying a subset of vulnerabilities from a set of vulnerabilities that are most vulnerable to a breach based on breach data. In an embodiment, the operations described for FIG. 3 may be performed by vulnerability threat management platform 115 of FIG. 1 or FIG. 2, but other embodiments may implement the same functions in other contexts using other computing devices.
  • In step 310, vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network is received from a first source. In an embodiment, the first source may be a customer. In an embodiment, the vulnerability data received from the first source may include, for each vulnerability, the vulnerability identifier, such as a CVE-ID or WASC ID.
  • In step 320, breach data that indicates a set of breaches that occurred outside of the customer network is received from a second source. Breach data may indicate a frequency with which each breach in the set of breaches occurred outside the customer network. For example, for vulnerability V1, the breach data may indicate 89 in the last 30 minutes while for vulnerability V2, the breach data may indicate 23 in the last 30 minutes. In some embodiments, the second source may be an external data source that provides a breach data feed at a periodic time interval. In some embodiments breach data may be received from more than one source, where the other sources are different from the first or second sources.
  • In step 330, a subset of the set vulnerabilities that are most vulnerable to a breach are identified based on the breach data received. In an embodiment, the identification of the subset of vulnerabilities that are most vulnerable to a breach is based on matching vulnerability identifiers of the set of vulnerabilities with vulnerability identifiers in the breach data. In an embodiment, the identified subset of vulnerabilities is ranked based on the number of times a vulnerability in the subset of vulnerabilities has been breached. In an embodiment, a subset of the set vulnerabilities that are most vulnerable to a breach are identified based on the breach data received and the number of exploits available for each vulnerability indicated in the exploit data received. In an embodiment, a subset of the set vulnerabilities that are most vulnerable to a breach are identified based on the breach data received and the CVSS score of a vulnerability included in the vulnerability data received.
  • In step 340, result data that identifies the subset of vulnerabilities is caused to be displayed on the screen of a computing device. In an embodiment, the subset of vulnerabilities that are displayed on the screen of a computing device is a ranked or ordered subset of vulnerabilities. In an embodiment, each computing asset of the computing assets in the customers network is one of a database, an operating system, an application, a desktop computer, a mobile computer, a server, or source code.
  • 4.0 Risk Score
  • In an embodiment, the information related to risks posed by the vulnerabilities may be presented as a risk score. As described previously, a risk score may be a numerical value in a range of numerical values, such as between 0 and 1000, and indicates how vulnerable a particular asset may be of being successfully exploited or breached.
  • In an embodiment, vulnerability threat management platform 115 determines a risk score based upon several contextual factors, including, but not limited to, a number of active breaches of each of the vulnerabilities of the computing asset, the prevalence (or number) of available exploits for each vulnerability, popularity of the computing asset or how widely the computing asset is used in the customer's industry or across all industries, difficulty of exploiting the vulnerability, and importance of the computing asset to the customer.
  • In some embodiments, the risk score of a computing asset may reflect the risk posed by the most vulnerable vulnerability of the computing asset's vulnerabilities. In other words, the vulnerability that is most likely at risk of being successfully exploited or breached may represent the risk score of the computing asset instead of simply being, for example, an average of multiple risk scores associated with vulnerabilities of the computing asset.
  • The risk score of a computing asset may be provided to a customer upon receiving a request from the customer for a risk score of the computing asset. In some embodiments, the risk score of a computing asset may be forwarded to the customer once analysis of the computing asset's vulnerabilities is completed and the computing asset's risk score is determined.
  • In an embodiment, vulnerability threat management platform 115 provides a risk score for a computing asset or a group of computing assets. Vulnerability threat management platform 115 may determine multiple computing assets to be grouped based on customer input. For example, some of the computing assets of a financial services company are responsible for maintaining and storing sensitive personal information of customers of the financial services company. Determining the risk of these computing assets being breached may be very important to the financial services company or even required of the financial services company. Therefore, the financial services company may request a risk assessment of a group comprising of the particular assets responsible for maintaining and storing sensitive personal information. Vulnerability threat management platform 115 may then provide a risk score representing the group's risk of being breached.
  • There is no limit on the manner in which computing assets may be grouped together. For example, computing assets may be grouped together based on geographical location of computing assets, on the type of computing assets, on the subnet of computing assets, or on input from a customer (e.g., 104 a).
  • In some embodiments, the risk score of a group of computing assets may be an average of the risk scores of the computing assets. In some embodiments, the risk score of a group of computing assets may be determined using a more complex method than an average of risk scores. Alternatively, a risk score of a group of computing assets may be the highest risk score of any individual computing asset in the group of computing assets.
  • Vulnerability threat management platform 115 may also store information enabling a future grouping of the particular assets indicated in storage unit 112 such that vulnerability threat management platform 115 may retrieve the information in order to group the particular assets and determine a risk score the next time the customer requests for a risk assessment of the group of computing assets.
  • In some embodiments, a range of colors may also be presented, in addition to the risk score, to indicate the criticality of the risk score to the customer. For example, if the risk score indicates that the particular computing asset is at a high risk of being breached, then the risk score may be encompassed within a ring of red color or the risk score itself may be presented in red color or it may be a combination of both, a ring of red color encompassing a risk score in red color. A particular color may represent a range of risk scores such that it may present a visual cue to the seriousness of the risk. For example, green may be used to present a low level of risk, yellow may be used to present a medium level of risk and red may be used to present a high level of risk. There may be more or less risk score ranges than the three described herein.
  • FIG. 4 illustrates an example arrangement of a graphical user interface for presenting risk information related to computing assets of a customer. In an embodiment, color ring 401 displays a color that corresponds to a criticality of a risk score 402. In some embodiments, color ring 401 may be filled with color in proportion to risk score 402. For example, in FIG. 4, risk score of the ten assets is 290 out of 1000, therefore only 29 percent of color ring 401 is filled with a particular color. As described above, colors may be predefined to represent certain risk score ranges. In FIG. 4, green has been predefined to represent a risk score of at least 290. In an embodiment, risk score 402 is also presented in the color reflecting its criticality. A combined graphical representation of color ring 401 and risk score 402 is referred to as a “risk meter.”
  • In an embodiment, button 403 represents a list of ordered or ranked remediations that may be presented upon user clicking button 403. In some embodiments, the list of ordered or ranked remediations may be presented upon hovering over button 403.
  • Dropdown list 404 may be used to present asset groups described above. In an embodiment, dropdown list 404 may be used to view and switch between different asset groups in a fast and efficient manner to make it easy for customers to manager a large number of asset groups without wasting time searching for different assets.
  • In an embodiment, grid 405 may be used to present asset information. Within grid 405, each asset may be presented in a separate row along with certain attributes of the asset indicated in columns of grid 405, such as number of vulnerabilities of the asset, priority value of the asset, the location of asset over the internet, operating system(s) of the asset, one or more tags associated with the asset, and a creation date of the asset or vulnerability. In some embodiments, grid 405 may be interactive such that a user may apply changes to grid 405 and risk score 402 reflects the changes. For example, a user may change priority value of a particular asset, causing risk score 402 to be adjusted according to the newly given importance to the particular asset.
  • FIG. 5 depicts an example process for determining a risk score for one or more computing assets. In an embodiment, the steps indicated in FIG. 5 may be performed by vulnerability threat management platform 115 of FIG. 1, FIG. 2, but other embodiments may implement the same functions in other contexts using other computing devices.
  • At block 510, a plurality of vulnerabilities of a computing asset are determined. Vulnerabilities of the computing asset may be based on vulnerability data provided by a customer.
  • In step 520, a risk score for the computing asset is generated based on the plurality of vulnerabilities. In an embodiment, the risk score for the computing asset may also be based on certain contextual factors such as importance of the asset to the customer.
  • While FIG. 5 depicts a process where a risk score is generated for a single computing asset, as noted previously, a risk score may be generated for a set of two or more computing assets. A risk score for more than one computing asset may be based on vulnerabilities of each computing asset in the set of computing assets. For example, assets A1 and A2 each have a single vulnerability: V1 for A1 and V2 for A2. A risk score is generated for the set that includes A1 and A2 based on V1 and V2. Thus, a risk score may be generated for a set of two or more computing assets based on a single vulnerability for each computing asset in the set.
  • In an embodiment, a risk score of a set of computing assets may be displayed on a screen of computing device. An input that selects the risk score may be received and in response to receiving the input that selects the risk score, data that indicates each computing asset in the set of computing assets is displayed on screen. In an embodiment, the data that indicates each computing asset may include a risk score for the computing asset, vulnerabilities of the computing asset, and/or list of remediations to resolve the vulnerabilities of the computing asset. In an embodiment, a set of computing assets may be grouped based on geographical location of the computing assets in the set, the type of computing assets, the subnet of the computing assets, or customer input.
  • In some embodiments, the risk scores of different computing assets or groups of computing assets may be displayed concurrently, referred to herein as a dashboard, to the customer. In some embodiments, vulnerability threat management platform 115 presents risk scores of computing assets to a customer in a manner that enables the customer to drill down into a group of computing assets and determine the risk score for each computing asset of the group of computing assets. Therefore, the customer is able to view a risk score for the particular computing asset without having to request a risk assessment for the particular computing asset, nor would the customer have to search the rest of the dashboard for the particular computing asset.
  • FIG. 6A-6B are block diagrams that depict an example arrangement of a graphical user interface of a dashboard. In FIG. 6A, a dashboard displays various risk meters 610-640, where each risk meter includes risk information related to a particular computing asset group of a customer. For example, risk meter 610 corresponds to desktops in a customer's network while risk meter 630 corresponds to assets involved in the customer's ecommerce website.
  • In an embodiment, the dashboard may be presented in a grid form as depicted in FIGS. 6A-6B. Risk meters may be presented in such a manner such that clicking or hovering over a risk meter may display computing assets represented by the risk meter. For example, user selection of risk meter 610 may cause the dashboard depicted in FIG. 6B to be displayed, including group data 612. Group data 612 indicates a number of assets in the “Desktops” group, a number of vulnerabilities in that group, a number of vulnerabilities in the group that are considered “Top Priority” (according to some specified criteria), a number of active Internet breaches associated with vulnerabilities in the group, an number of “easily” exploitable vulnerabilities in the group, and a number of popular targets (indicating which vulnerabilities have been the target of the most breaches) in the group.
  • The dashboards represented in FIGS. 6A-6B also include total aggregate information, such as the total number of vulnerabilities in a customer network (74,005), the total number of “closed vulnerabilities” (9,751) (which are fixed or remediated vulnerabilities, the total number of assets in the customer network, and a vulnerability density (3,143), which may represent the average number of vulnerabilities per asset group or the median number of vulnerabilities across the asset groups.
  • The dashboards represented in FIGS. 6A-6B may also be fully customizable, such as customizing which asset groups are displayed first or at the top of a view, what information is displayed when a risk meter is selected, and alert information indicating whether an audio alert, visual alert, or message alert (e.g., text, IM) should be sent when a risk score for a risk meter exceeds a certain threshold and/or when multiple risk scores exceed a particular threshold.
  • 5.0 Remediation List
  • In an embodiment, vulnerability threat management platform 115 provides an ordered or ranked list of remediations applicable to the computing asset. In an embodiment, vulnerability threat management platform 115 analyzes vulnerability data 109, 110, 111, sent by customers 104 a, 104 b, 104 c, respectively, and selects remediations based on mappings of vulnerabilities and remediations. In some embodiments, a remediation may be mapped to one or more vulnerabilities. The list of remediations will be ordered or ranked according to the impact on the overall risk score of a computing asset or a group of computing assets.
  • In an embodiment, the ranking or ordering of list remediations may also be based on ease of implementation or application (e.g., in terms of time and/or work required by the customer) of a remediation, where remediations that are easier to implement or apply are preferred over remediations that are more difficult to implement or apply. For example, remediation R1 takes about ten minutes to apply and remediation R2 takes about nine hours to apply. R1 may be ranked higher than R2 even if R1 has a slightly higher impact on the risk score than the impact of R2 has on the risk score.
  • In an embodiment, mappings of vulnerabilities and remediations may be stored in storage unit 112. In an embodiment, vulnerability threat management platform 115 presents the list of remediations concurrently with ranked or ordered list of vulnerabilities of a computing asset or group of computing assets, or risk score of a computing asset or a group of computing assets, or both.
  • FIG. 7 illustrates an example method for determining a set of remediations for one or more vulnerabilities of a computing asset. In an embodiment, the example method may be performed by vulnerability threat management platform 115 of FIG. 1 or FIG. 2, but other embodiments may implement the same functions in other contexts using other computing devices.
  • At block 710, a set of remediations associated with a set of vulnerabilities is identified. In an embodiment, the remediations may be identified based on the identifiers of each vulnerability in the set of vulnerabilities. The set of remediations may come from one of customers 104 a-104 c, one of sources 101-103, and/or another source, not depicted.
  • At block 720, for each remediation in the set of remediations, an amount that the risk score would be reduced if said each remediation is applied to a corresponding vulnerability in the set of vulnerabilities is determined.
  • At block 730, the set of remediations is ordered based on the amount the risk score is reduced by each remediation in the set of remediations. In an embodiment, the set of remediations may also be ordered by ease of implementation of each remediation.
  • In an embodiment, a customer is allowed to select a remediation to be applied to its corresponding vulnerability. Once applied and the vulnerability is removed, the set of remediations is updated to remove the selected remediation. Afterwards, an updated risk score may be generated based on the updated set of remediations. Also, blocks 520 and 530 may be performed again for the updated set of remediations and based on the updated risk score.
  • The embodiments described herein may enable for an assessment of risk associated with a computing asset and provide an effective and efficient manner in reducing the risk posed by one or more vulnerabilities of a computing asset or a group of computing assets.
  • 6.0 Implementation Mechanisms—Hardware Overview
  • According to one embodiment, the techniques described herein are implemented by one or more special-purpose computing devices. The special-purpose computing devices may be hard-wired to perform the techniques, or may include digital electronic devices such as one or more application-specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs) that are persistently programmed to perform the techniques, or may include one or more general purpose hardware processors programmed to perform the techniques pursuant to program instructions in firmware, memory, other storage, or a combination. Such special-purpose computing devices may also combine custom hard-wired logic, ASICs, or FPGAs with custom programming to accomplish the techniques. The special-purpose computing devices may be desktop computer systems, portable computer systems, handheld devices, networking devices or any other device that incorporates hard-wired and/or program logic to implement the techniques.
  • For example, FIG. 8 is a block diagram that illustrates a computer system 800 upon which an embodiment of the invention may be implemented. Computer system 800 includes a bus 802 or other communication mechanism for communicating information, and a hardware processor 804 coupled with bus 802 for processing information. Hardware processor 804 may be, for example, a general purpose microprocessor.
  • Computer system 800 also includes a main memory 806, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 802 for storing information and instructions to be executed by processor 804. Main memory 806 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 804. Such instructions, when stored in non-transitory storage media accessible to processor 804, render computer system 800 into a special-purpose machine that is customized to perform the operations specified in the instructions.
  • Computer system 800 further includes a read only memory (ROM) 808 or other static storage device coupled to bus 802 for storing static information and instructions for processor 804. A storage device 810, such as a magnetic disk, optical disk, or solid-state drive is provided and coupled to bus 802 for storing information and instructions.
  • Computer system 800 may be coupled via bus 802 to a display 812, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 814, including alphanumeric and other keys, is coupled to bus 802 for communicating information and command selections to processor 804. Another type of user input device is cursor control 816, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 804 and for controlling cursor movement on display 812. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.
  • Computer system 800 may implement the techniques described herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware and/or program logic which in combination with the computer system causes or programs computer system 800 to be a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 800 in response to processor 804 executing one or more sequences of one or more instructions contained in main memory 806. Such instructions may be read into main memory 806 from another storage medium, such as storage device 810. Execution of the sequences of instructions contained in main memory 806 causes processor 804 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.
  • The term “storage media” as used herein refers to any non-transitory media that store data and/or instructions that cause a machine to operate in a specific fashion. Such storage media may comprise non-volatile media and/or volatile media. Non-volatile media includes, for example, optical disks, magnetic disks, or solid-state drives, such as storage device 810. Volatile media includes dynamic memory, such as main memory 806. Common forms of storage media include, for example, a floppy disk, a flexible disk, hard disk, solid-state drive, magnetic tape, or any other magnetic data storage medium, a CD-ROM, any other optical data storage medium, any physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, NVRAM, any other memory chip or cartridge.
  • Storage media is distinct from but may be used in conjunction with transmission media. Transmission media participates in transferring information between storage media. For example, transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 802. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.
  • Various forms of media may be involved in carrying one or more sequences of one or more instructions to processor 804 for execution. For example, the instructions may initially be carried on a magnetic disk or solid-state drive of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 800 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 802. Bus 802 carries the data to main memory 806, from which processor 804 retrieves and executes the instructions. The instructions received by main memory 806 may optionally be stored on storage device 810 either before or after execution by processor 804.
  • Computer system 800 also includes a communication interface 818 coupled to bus 802. Communication interface 818 provides a two-way data communication coupling to a network link 820 that is connected to a local network 822. For example, communication interface 818 may be an integrated services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 818 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 818 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
  • Network link 820 typically provides data communication through one or more networks to other data devices. For example, network link 820 may provide a connection through local network 822 to a host computer 824 or to data equipment operated by an Internet Service Provider (ISP) 826. ISP 826 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the “Internet” 828. Local network 822 and Internet 828 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 820 and through communication interface 818, which carry the digital data to and from computer system 800, are example forms of transmission media.
  • Computer system 800 can send messages and receive data, including program code, through the network(s), network link 820 and communication interface 818. In the Internet example, a server 830 might transmit a requested code for an application program through Internet 828, ISP 826, local network 822 and communication interface 818.
  • The received code may be executed by processor 804 as it is received, and/or stored in storage device 810, or other non-volatile storage for later execution.
  • 7.0 Extensions and Alternatives
  • In the foregoing specification, embodiments of the disclosure have been described with reference to numerous specific details that may vary from implementation to implementation. Thus, the sole and exclusive indicator of what is the disclosure, and is intended by the applicants to be the disclosure, is the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction. Any definitions expressly set forth herein for terms contained in such claims shall govern the meaning of such terms as used in the claims. Hence, no limitation, element, property, feature, advantage or attribute that is not expressly recited in a claim should limit the scope of such claim in any way. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

Claims (20)

What is claimed is:
1. A system comprising:
storage media;
one or more processors;
and one or more programs stored in the storage media and configured for execution by the one or more processors, the one or more programs comprising instructions for:
determining a first vulnerability and a second vulnerability of one or more computing assets;
obtaining breach data that indicates a successful exploit of the first vulnerability at one or more other computing assets;
based on the breach data, making a determination that the first vulnerability is more vulnerable to the successful exploit than the second vulnerability;
based on the determination, causing the first vulnerability to have a higher priority value than the second vulnerability.
2. The system of claim 1, wherein the one or more programs further comprise instructions for:
based on the higher priority value of the first vulnerability, applying a remediation to the first vulnerability before applying a remediation to the second vulnerability.
3. The system of claim 1, wherein at least one computing asset of the one or more computing assets is hardware.
4. The system of claim 1, wherein at least one computing asset of the one or more computing assets is software.
5. The system of claim 1, wherein the one or more programs further comprise instructions for:
obtaining exploit data indicating that the second vulnerability has a greater number of available exploits than the first vulnerability;
wherein causing the first vulnerability to have the higher priority value than the second vulnerability is also based on the exploit data.
6. The system of claim 1, wherein the one or more programs further comprise instructions for:
obtaining a Common Vulnerability Scoring System (CVSS) score of the first vulnerability;
wherein causing the first vulnerability to have the higher priority value than the second vulnerability is also based on the CVSS score.
7. The system of claim 1, wherein causing the first vulnerability to have the higher priority value than the second vulnerability comprises adjusting a risk score associated with the first vulnerability.
8. A method comprising:
determining a first vulnerability and a second vulnerability of one or more computing assets;
obtaining breach data that indicates a successful exploit of the first vulnerability at one or more other computing assets;
based on the breach data, making a determination that the first vulnerability is more vulnerable to the successful exploit than the second vulnerability;
based on the determination, causing the first vulnerability to have a higher priority value than the second vulnerability;
wherein the method is performed by one or more computing devices.
9. The method of claim 8, further comprising:
based on the higher priority value of the first vulnerability, applying a remediation to the first vulnerability before applying a remediation to the second vulnerability.
10. The method of claim 8, wherein at least one computing asset of the one or more computing assets is hardware.
11. The method of claim 8, wherein at least one computing asset of the one or more computing assets is software.
12. The method of claim 8, further comprising:
obtaining exploit data indicating that the second vulnerability has a greater number of available exploits than the first vulnerability;
wherein causing the first vulnerability to have the higher priority value than the second vulnerability is also based on the exploit data.
13. The method of claim 8, further comprising:
obtaining a Common Vulnerability Scoring System (CVSS) score of the first vulnerability;
wherein causing the first vulnerability to have the higher priority value than the second vulnerability is also based on the CVSS score.
14. The method of claim 8, wherein causing the first vulnerability to have the higher priority value than the second vulnerability comprises adjusting a risk score associated with the first vulnerability.
15. One or more non-transitory storage media storing one or more instructions which, when executed by one or more processors, cause:
determining a first vulnerability and a second vulnerability of one or more computing assets;
obtaining breach data that indicates a successful exploit of the first vulnerability at one or more other computing assets;
based on the breach data, making a determination that the first vulnerability is more vulnerable to the successful exploit than the second vulnerability;
based on the determination, causing the first vulnerability to have a higher priority value than the second vulnerability.
16. The one or more non-transitory storage media of claim 14, wherein the one or more instructions which, when executed by the one or more processors, further cause:
based on the higher priority value of the first vulnerability, applying a remediation to the first vulnerability before applying a remediation to the second vulnerability.
17. The one or more non-transitory storage media of claim 14, wherein at least one computing asset of the one or more computing assets is hardware.
18. The one or more non-transitory storage media of claim 14, wherein at least one computing asset of the one or more computing assets is software.
19. The one or more non-transitory storage media of claim 14, wherein the one or more instructions which, when executed by the one or more processors, further cause:
obtaining exploit data indicating that the second vulnerability has a greater number of available exploits than the first vulnerability;
wherein causing the first vulnerability to have the higher priority value than the second vulnerability is also based on the exploit data.
20. The one or more non-transitory storage media of claim 14, wherein the one or more instructions which, when executed by the one or more processors, further cause:
obtaining a Common Vulnerability Scoring System (CVSS) score of the first vulnerability;
wherein causing the first vulnerability to have the higher priority value than the second vulnerability is also based on the CVSS score.
US15/817,886 2014-02-14 2017-11-20 Ordered computer vulnerability remediation reporting Active US10305925B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/817,886 US10305925B2 (en) 2014-02-14 2017-11-20 Ordered computer vulnerability remediation reporting

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US14/181,415 US8984643B1 (en) 2014-02-14 2014-02-14 Ordered computer vulnerability remediation reporting
US14/642,620 US9270695B2 (en) 2014-02-14 2015-03-09 Identifying vulnerabilities of computing assets based on breach data
US14/941,927 US9825981B2 (en) 2014-02-14 2015-11-16 Ordered computer vulnerability remediation reporting
US15/817,886 US10305925B2 (en) 2014-02-14 2017-11-20 Ordered computer vulnerability remediation reporting

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US14/941,927 Continuation US9825981B2 (en) 2014-02-14 2015-11-16 Ordered computer vulnerability remediation reporting

Publications (2)

Publication Number Publication Date
US20180077193A1 true US20180077193A1 (en) 2018-03-15
US10305925B2 US10305925B2 (en) 2019-05-28

Family

ID=52632429

Family Applications (4)

Application Number Title Priority Date Filing Date
US14/181,415 Active US8984643B1 (en) 2014-02-14 2014-02-14 Ordered computer vulnerability remediation reporting
US14/642,620 Active US9270695B2 (en) 2014-02-14 2015-03-09 Identifying vulnerabilities of computing assets based on breach data
US14/941,927 Active US9825981B2 (en) 2014-02-14 2015-11-16 Ordered computer vulnerability remediation reporting
US15/817,886 Active US10305925B2 (en) 2014-02-14 2017-11-20 Ordered computer vulnerability remediation reporting

Family Applications Before (3)

Application Number Title Priority Date Filing Date
US14/181,415 Active US8984643B1 (en) 2014-02-14 2014-02-14 Ordered computer vulnerability remediation reporting
US14/642,620 Active US9270695B2 (en) 2014-02-14 2015-03-09 Identifying vulnerabilities of computing assets based on breach data
US14/941,927 Active US9825981B2 (en) 2014-02-14 2015-11-16 Ordered computer vulnerability remediation reporting

Country Status (1)

Country Link
US (4) US8984643B1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10298608B2 (en) * 2015-02-11 2019-05-21 Honeywell International Inc. Apparatus and method for tying cyber-security risk analysis to common risk methodologies and risk levels
CN113139191A (en) * 2021-03-25 2021-07-20 国网浙江省电力有限公司衢州供电公司 Statistical method for bug disposal repair priority
US20230019180A1 (en) * 2021-07-08 2023-01-19 Bugcrowd Inc. Automated Prediction Of Cybersecurity Vulnerabilities
US11741196B2 (en) 2018-11-15 2023-08-29 The Research Foundation For The State University Of New York Detecting and preventing exploits of software vulnerability using instruction tags

Families Citing this family (82)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8984643B1 (en) 2014-02-14 2015-03-17 Risk I/O, Inc. Ordered computer vulnerability remediation reporting
US9886581B2 (en) 2014-02-25 2018-02-06 Accenture Global Solutions Limited Automated intelligence graph construction and countermeasure deployment
US9503467B2 (en) 2014-05-22 2016-11-22 Accenture Global Services Limited Network anomaly detection
US9118714B1 (en) * 2014-07-23 2015-08-25 Lookingglass Cyber Solutions, Inc. Apparatuses, methods and systems for a cyber threat visualization and editing user interface
US10296412B2 (en) * 2014-08-08 2019-05-21 Plesk International Gmbh Processing run-time error messages and implementing security policies in web hosting
US9407645B2 (en) 2014-08-29 2016-08-02 Accenture Global Services Limited Security threat information analysis
US9716721B2 (en) 2014-08-29 2017-07-25 Accenture Global Services Limited Unstructured security threat information analysis
US10162969B2 (en) * 2014-09-10 2018-12-25 Honeywell International Inc. Dynamic quantification of cyber-security risks in a control system
EP3210364B8 (en) 2014-10-21 2021-03-10 Proofpoint, Inc. Systems and methods for application security analysis
EP4155984B1 (en) * 2014-10-31 2024-08-28 Proofpoint, Inc. Systems and methods for privately performing application security analysis
US9648036B2 (en) * 2014-12-29 2017-05-09 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US9594913B2 (en) * 2015-01-28 2017-03-14 Wal-Mart Stores, Inc. System, method, and non-transitory computer-readable storage media for analyzing software application modules and provide actionable intelligence on remediation efforts
US9923915B2 (en) 2015-06-02 2018-03-20 C3 Iot, Inc. Systems and methods for providing cybersecurity analysis based on operational technologies and information technologies
US10484257B1 (en) * 2015-07-15 2019-11-19 Amazon Technologies, Inc. Network event automatic remediation service
US9979743B2 (en) 2015-08-13 2018-05-22 Accenture Global Services Limited Computer asset vulnerabilities
US9886582B2 (en) 2015-08-31 2018-02-06 Accenture Global Sevices Limited Contextualization of threat data
US10031799B1 (en) * 2015-09-28 2018-07-24 Amazon Technologies, Inc. Auditor for automated tuning of impairment remediation
US9912686B2 (en) * 2016-02-18 2018-03-06 Tracker Networks Inc. Methods and systems for enhancing data security in a computer network
US10084809B1 (en) * 2016-05-06 2018-09-25 Wells Fargo Bank, N.A. Enterprise security measures
US20170339190A1 (en) * 2016-05-23 2017-11-23 Cisco Technology, Inc. Device-specific packet inspection plan
US10198597B2 (en) * 2016-05-27 2019-02-05 International Business Machines Corporation Managing mobile application security
US10536476B2 (en) 2016-07-21 2020-01-14 Sap Se Realtime triggering framework
US10372915B2 (en) * 2016-07-29 2019-08-06 Jpmorgan Chase Bank, N.A. Cybersecurity vulnerability management systems and method
US10482241B2 (en) 2016-08-24 2019-11-19 Sap Se Visualization of data distributed in multiple dimensions
US10542016B2 (en) * 2016-08-31 2020-01-21 Sap Se Location enrichment in enterprise threat detection
US10277620B2 (en) * 2016-09-08 2019-04-30 Corax Cyber Security, Inc. Determining an assessment of a security breach for an asset of a network infrastructure
US10673879B2 (en) 2016-09-23 2020-06-02 Sap Se Snapshot of a forensic investigation for enterprise threat detection
US10630705B2 (en) 2016-09-23 2020-04-21 Sap Se Real-time push API for log events in enterprise threat detection
US10235528B2 (en) * 2016-11-09 2019-03-19 International Business Machines Corporation Automated determination of vulnerability importance
US10534908B2 (en) 2016-12-06 2020-01-14 Sap Se Alerts based on entities in security information and event management products
US10530792B2 (en) 2016-12-15 2020-01-07 Sap Se Using frequency analysis in enterprise threat detection to detect intrusions in a computer system
US10534907B2 (en) 2016-12-15 2020-01-14 Sap Se Providing semantic connectivity between a java application server and enterprise threat detection system using a J2EE data
US10552605B2 (en) 2016-12-16 2020-02-04 Sap Se Anomaly detection in enterprise threat detection
US11470094B2 (en) 2016-12-16 2022-10-11 Sap Se Bi-directional content replication logic for enterprise threat detection
US10764306B2 (en) 2016-12-19 2020-09-01 Sap Se Distributing cloud-computing platform content to enterprise threat detection systems
US10728261B2 (en) * 2017-03-02 2020-07-28 ResponSight Pty Ltd System and method for cyber security threat detection
US11410054B2 (en) 2017-03-15 2022-08-09 Kyndryl, Inc. Cognitive prediction of problematic servers in unknown server group
US10503908B1 (en) * 2017-04-04 2019-12-10 Kenna Security, Inc. Vulnerability assessment based on machine inference
US10469517B1 (en) * 2017-05-08 2019-11-05 Wells Fargo Bank, N.A. Centralized security for connected devices
US10474843B2 (en) 2017-05-09 2019-11-12 International Business Machines Corporation Identifying stolen databases
CN107292178B (en) * 2017-05-12 2020-12-01 北京计算机技术及应用研究所 Security vulnerability threat quantification method based on multi-level influence factors
US10530794B2 (en) 2017-06-30 2020-01-07 Sap Se Pattern creation in enterprise threat detection
US11934937B2 (en) 2017-07-10 2024-03-19 Accenture Global Solutions Limited System and method for detecting the occurrence of an event and determining a response to the event
US11093617B2 (en) * 2017-10-04 2021-08-17 Servicenow, Inc. Automated vulnerability grouping
US11636416B2 (en) 2017-11-13 2023-04-25 Tracker Networks Inc. Methods and systems for risk data generation and management
US10999301B2 (en) * 2017-11-27 2021-05-04 International Business Machines Corporation Methods, systems, and program product for analyzing cyber-attacks based on identified business impacts on businesses
US10986111B2 (en) 2017-12-19 2021-04-20 Sap Se Displaying a series of events along a time axis in enterprise threat detection
US10681064B2 (en) 2017-12-19 2020-06-09 Sap Se Analysis of complex relationships among information technology security-relevant entities using a network graph
US10862915B2 (en) 2018-02-06 2020-12-08 Bank Of America Corporation Exception remediation logic routing and suppression platform
US11089042B2 (en) 2018-02-06 2021-08-10 Bank Of America Corporation Vulnerability consequence triggering system for application freeze and removal
US10812502B2 (en) 2018-02-06 2020-10-20 Bank Of America Corporation Network device owner identification and communication triggering system
US10819731B2 (en) 2018-02-06 2020-10-27 Bank Of America Corporation Exception remediation logic rolling platform
US11265340B2 (en) 2018-02-06 2022-03-01 Bank Of America Corporation Exception remediation acceptable use logic platform
US10791137B2 (en) * 2018-03-14 2020-09-29 Synack, Inc. Risk assessment and remediation
US11531762B2 (en) 2018-08-10 2022-12-20 Jpmorgan Chase Bank, N.A. Method and apparatus for management of vulnerability disclosures
US11030321B2 (en) * 2018-10-02 2021-06-08 International Business Machines Corporation Processing and evaluating data based on associated device vulnerability
US11093618B2 (en) * 2018-10-23 2021-08-17 Jpmorgan Chase Bank, N.A. Systems and methods for using an application control prioritization index
US11258817B2 (en) * 2018-10-26 2022-02-22 Tenable, Inc. Rule-based assignment of criticality scores to assets and generation of a criticality rules table
EP3884378B1 (en) 2018-11-19 2024-09-25 Security Compass Technologies Ltd. Automation of task identification in a software lifecycle
US11677773B2 (en) * 2018-11-19 2023-06-13 Bmc Software, Inc. Prioritized remediation of information security vulnerabilities based on service model aware multi-dimensional security risk scoring
US11050777B2 (en) 2018-11-20 2021-06-29 Saudi Arabian Oil Company Method and system for remediating cybersecurity vulnerabilities based on utilization
US12052276B2 (en) * 2018-11-30 2024-07-30 Proofpoint, Inc. People-centric threat scoring
US11171929B2 (en) * 2018-12-17 2021-11-09 International Business Machines Corporation Applying differential security to API message payload data elements
US11120129B2 (en) 2019-01-08 2021-09-14 Intsights Cyber Intelligence Ltd. System and method for detecting leaked documents on a computer network
US11201891B2 (en) * 2019-04-30 2021-12-14 EMC IP Holding Company LLC Prioritization of remediation actions for addressing vulnerabilities in an enterprise system
JP6678798B1 (en) * 2019-05-28 2020-04-08 株式会社ビズリーチ Processing device and processing method
US11368470B2 (en) * 2019-06-13 2022-06-21 International Business Machines Corporation Real-time alert reasoning and priority-based campaign discovery
US11381588B2 (en) 2019-07-30 2022-07-05 Saudi Arabian Oil Company Cybersecurity vulnerability classification and remediation based on installation base
WO2021044408A2 (en) * 2019-09-05 2021-03-11 Cytwist Ltd. An organizational asset discovery and ranking system and method
US10924334B1 (en) * 2019-09-12 2021-02-16 Salesforce.Com, Inc. Monitoring distributed systems with auto-remediation
US11526614B2 (en) * 2019-10-15 2022-12-13 Anchain.ai Inc. Continuous vulnerability management system for blockchain smart contract based digital asset using sandbox and artificial intelligence
US11277433B2 (en) * 2019-10-31 2022-03-15 Honeywell International Inc. Apparatus, method, and computer program product for automatic network architecture configuration maintenance
US11159557B2 (en) * 2019-11-13 2021-10-26 Servicenow, Inc. Network security through linking vulnerability management and change management
CN110991906B (en) * 2019-12-06 2023-11-17 国家电网有限公司客户服务中心 Cloud system information security risk assessment method
US11861015B1 (en) * 2020-03-20 2024-01-02 Tripwire, Inc. Risk scoring system for vulnerability mitigation
US11888887B2 (en) * 2020-04-27 2024-01-30 Kenna Security Llc Risk-based vulnerability remediation timeframe recommendations
US11509677B2 (en) * 2020-05-05 2022-11-22 Uber Technologies, Inc. Automatically detecting vulnerability remediations and regressions
US11503063B2 (en) 2020-08-05 2022-11-15 Cisco Technology, Inc. Systems and methods for detecting hidden vulnerabilities in enterprise networks
CN112565221B (en) * 2020-11-26 2022-12-16 国网数字科技控股有限公司 Vulnerability detection method, device, system and platform
US20230185921A1 (en) * 2021-12-14 2023-06-15 Vdoo Connected Trust Ltd. Prioritizing vulnerabilities
US12088618B2 (en) * 2022-06-20 2024-09-10 Qualys, Inc. Methods and systems for asset risk determination and utilization for threat mitigation
US11943131B1 (en) 2023-07-26 2024-03-26 Cisco Technology, Inc. Confidence reinforcement of automated remediation decisions through service health measurements

Family Cites Families (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7380270B2 (en) 2000-08-09 2008-05-27 Telos Corporation Enhanced system, method and medium for certifying and accrediting requirements compliance
US6807569B1 (en) 2000-09-12 2004-10-19 Science Applications International Corporation Trusted and anonymous system and method for sharing threat data to industry assets
US7340776B2 (en) * 2001-01-31 2008-03-04 International Business Machines Corporation Method and system for configuring and scheduling security audits of a computer network
AU2002360844A1 (en) * 2001-12-31 2003-07-24 Citadel Security Software Inc. Automated computer vulnerability resolution system
US7257630B2 (en) 2002-01-15 2007-08-14 Mcafee, Inc. System and method for network vulnerability detection and reporting
US7552480B1 (en) 2002-04-23 2009-06-23 Citibank, N.A. Method and system of assessing risk using a one-dimensional risk assessment model
US8201257B1 (en) 2004-03-31 2012-06-12 Mcafee, Inc. System and method of managing network security risks
US7761918B2 (en) 2004-04-13 2010-07-20 Tenable Network Security, Inc. System and method for scanning a network
US8020210B2 (en) 2004-06-09 2011-09-13 Verizon Patent And Licensing Inc. System and method for assessing risk to a collection of information resources
US7278163B2 (en) * 2005-02-22 2007-10-02 Mcafee, Inc. Security risk analysis system and method
US7962960B2 (en) 2005-02-25 2011-06-14 Verizon Business Global Llc Systems and methods for performing risk analysis
WO2007004209A1 (en) 2005-06-30 2007-01-11 Raw Analysis Ltd. Method and system for network vulnerability assessment
US8095984B2 (en) 2005-09-22 2012-01-10 Alcatel Lucent Systems and methods of associating security vulnerabilities and assets
US7908657B1 (en) 2005-09-29 2011-03-15 Symantec Corporation Detecting variants of known threats
US8392997B2 (en) * 2007-03-12 2013-03-05 University Of Southern California Value-adaptive security threat modeling and vulnerability ranking
US8402546B2 (en) 2008-11-19 2013-03-19 Microsoft Corporation Estimating and visualizing security risk in information technology systems
US8302198B2 (en) 2010-01-28 2012-10-30 Tenable Network Security, Inc. System and method for enabling remote registry service security audits
US8707440B2 (en) 2010-03-22 2014-04-22 Tenable Network Security, Inc. System and method for passively identifying encrypted and interactive network sessions
US8495757B2 (en) 2010-04-22 2013-07-23 Hewlett-Packard Development Company, L.P. System and method for placing an electronic apparatus into a protected state in response to environmental data
US20120203590A1 (en) 2011-02-04 2012-08-09 Bank Of America Corporation Technology Risk Assessment, Forecasting, and Prioritization
US20120215575A1 (en) * 2011-02-22 2012-08-23 Bank Of America Corporation Risk Assessment And Prioritization Framework
US8789192B2 (en) 2011-05-23 2014-07-22 Lockheed Martin Corporation Enterprise vulnerability management
US9141805B2 (en) 2011-09-16 2015-09-22 Rapid7 LLC Methods and systems for improved risk scoring of vulnerabilities
US8595845B2 (en) 2012-01-19 2013-11-26 Mcafee, Inc. Calculating quantitative asset risk
US10198581B2 (en) 2012-03-07 2019-02-05 Rapid7, Inc. Controlling enterprise access by mobile devices
US9043920B2 (en) 2012-06-27 2015-05-26 Tenable Network Security, Inc. System and method for identifying exploitable weak points in a network
US20140172495A1 (en) 2012-12-16 2014-06-19 Mcafee, Inc. System and method for automated brand protection
US9954883B2 (en) 2012-12-18 2018-04-24 Mcafee, Inc. Automated asset criticality assessment
US20150237062A1 (en) 2014-02-14 2015-08-20 Risk I/O, Inc. Risk Meter For Vulnerable Computing Devices
US8984643B1 (en) 2014-02-14 2015-03-17 Risk I/O, Inc. Ordered computer vulnerability remediation reporting

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10298608B2 (en) * 2015-02-11 2019-05-21 Honeywell International Inc. Apparatus and method for tying cyber-security risk analysis to common risk methodologies and risk levels
US11741196B2 (en) 2018-11-15 2023-08-29 The Research Foundation For The State University Of New York Detecting and preventing exploits of software vulnerability using instruction tags
US12061677B2 (en) 2018-11-15 2024-08-13 The Research Foundation For The State University Of New York Secure processor for detecting and preventing exploits of software vulnerability
CN113139191A (en) * 2021-03-25 2021-07-20 国网浙江省电力有限公司衢州供电公司 Statistical method for bug disposal repair priority
US20230019180A1 (en) * 2021-07-08 2023-01-19 Bugcrowd Inc. Automated Prediction Of Cybersecurity Vulnerabilities

Also Published As

Publication number Publication date
US9825981B2 (en) 2017-11-21
US8984643B1 (en) 2015-03-17
US20160072835A1 (en) 2016-03-10
US20150237065A1 (en) 2015-08-20
US9270695B2 (en) 2016-02-23
US10305925B2 (en) 2019-05-28

Similar Documents

Publication Publication Date Title
US10305925B2 (en) Ordered computer vulnerability remediation reporting
US8966639B1 (en) Internet breach correlation
US20150237062A1 (en) Risk Meter For Vulnerable Computing Devices
US11886464B1 (en) Triage model in service monitoring system
US12019740B2 (en) Automated cybersecurity threat detection with aggregation and analysis
US10942960B2 (en) Automatic triage model execution in machine data driven monitoring automation apparatus with visualization
US11757938B2 (en) Method, apparatus, and computer-readable medium for data protection simulation and optimization in a computer network
US9813454B2 (en) Cybersecurity training system with automated application of branded content
US10462176B2 (en) Method and apparatus for reducing security risk in a networked computer system architecture
US9898708B2 (en) Uplifting of computer resources
US20190147376A1 (en) Methods and systems for risk data generation and management
CN109582405B (en) Security survey using a card system framework
US20200012990A1 (en) Systems and methods of network-based intelligent cyber-security
US10635857B2 (en) Card system framework
US20200067853A1 (en) Information management apparatus and information management method
JP2021152929A (en) Terminal management device, terminal management method, and program
US11822671B2 (en) Information processing device, information processing method, and non-transitory computer readable medium for identifying terminals without security countermeasures
CN109582406B (en) Script-based security survey using a card system framework
US10877946B1 (en) Efficient incident response through tree-based visualizations of hierarchical clustering
US20190081988A1 (en) Security management apparatus, central security management apparatus, security management method, and computer readable medium

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: SMAL); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: SMAL); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: KENNA SECURITY, INC., ILLINOIS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ROYTMAN, MICHAEL;BELLIS, EDWARD T.;HEUER, JEFFREY;SIGNING DATES FROM 20140208 TO 20140214;REEL/FRAME:055923/0594

AS Assignment

Owner name: RISK I/O, INC., ILLINOIS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ROYTMAN, MICHAEL;BELLIS, EDWARD T.;HEUER, JEFFREY;SIGNING DATES FROM 20140208 TO 20140214;REEL/FRAME:055948/0164

AS Assignment

Owner name: RISK I/O, INC., ILLINOIS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ROYTMAN, MICHAEL;REEL/FRAME:056148/0952

Effective date: 20150224

AS Assignment

Owner name: KENNA SECURITY, INC., ILLINOIS

Free format text: CHANGE OF NAME;ASSIGNOR:RISK I/O, INC.;REEL/FRAME:056173/0491

Effective date: 20150731

AS Assignment

Owner name: KENNA SECURITY LLC, ILLINOIS

Free format text: CHANGE OF NAME;ASSIGNOR:KENNA SECURITY, INC.;REEL/FRAME:057559/0618

Effective date: 20210702

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4